STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must only enable User-ID on trusted zones.

DISA Rule

SV-228837r557387_rule

Vulnerability Number

V-228837

Group Title

SRG-NET-000131-ALG-000085

Rule Version

PANW-AG-000035

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To deny User-ID on untrusted zones:
Go to Network >> Zones, select the name of the zone.
If the Zone is untrusted, in the Zone window, deselect (uncheck) the "Enable User Identification" check box.
Select "OK".
Go to Network >> Network Profiles >> Interface Mgmt.
Select "Add" to create a new profile or select the name of a profile to edit it.
In the "Interface Management Profile" window, deselect the "User-ID" check box if it is selected.
Select "OK".

Note: This action precludes that particular Interface Management Profile from supporting User-ID.

An interface does not need an Interface Management Profile to operate; the profile is only needed to permit management services (such as User-ID) on that interface.
Go to Network >> Interfaces.
Each interface is listed; note that there are four tabs - Ethernet, VLAN, Loopback, and Tunnel.
Each type can have an Interface Management Profile applied to it.
View each interface that is in an untrusted security zone; if it has an Interface Management Profile applied to it, the Interface Management Profile must be one that does not have User-ID enabled.

Check Contents

To verify that Windows Management Instrumentation (WMI) probing is unchecked for all untrusted zones:

Go to Network >> Zones, view each zone.
If the Zone is untrusted and if the UserID Enabled column is checked, this is a finding.

Go to Network >> Network Profiles >> Interface Mgmt.
View the configured Interface Management Profiles.
Note which Interface Management Profiles have the "User-ID" field enabled (checked).
Go to Network >> Interfaces.
Each interface is listed; note that there are four tabs - Ethernet, VLAN, Loopback, and Tunnel. Each type can have an Interface Management Profile applied to it.

View each interface that is in an untrusted security zone; if each one has no Interface Management Profile applied, this is not a finding.

If each interface in an untrusted security zone has an Interface Management Profile applied to it, the Interface Management Profile must be one that does not have User-ID enabled; if it does, this is a finding.

Vulnerability Number

V-228837

Documentable

False

Rule Version

PANW-AG-000035

Severity Override Guidance


Check Content Reference

M

Target Key

4233

Comments